FBI Warns of Mobile Malware Risks

Android Devices Hit by Two New Trojans

October 22, 2012
The Federal Bureau of Investigation has issued a consumer alert warning of malware attacks against mobile devices that run the Android operating system.

Trojans pose serious risks for any personal and sensitive information stored on compromised Android devices, the FBI warns. But experts say any mobile device is potentially at risk because the real problem is malicious applications - which in an open environment are impossible to control. And anywhere malicious apps are around, so is the potential for financial fraud.

Two Trojans

The alert from the Internet Crime Complaint Center, a unit of the FBI, addresses two new Android Trojans known as Loozfon and FinFisher.

Recent attacks showed Loozfon has the ability to steal a mobile user's phone number as well as contact details. In one type of Loozfon attack, unsuspecting consumers were lured in by advertisements promoting fraudulent work-at-home opportunities.

The alert does not specify how those ads were promoted - through e-mail, SMS/text or both. But the FBI warns that links within the ads lead to websites designed to push Loozfon to users' devices.

FinFisher, on the other hand, is spyware that targets Android smart phones, hijacking specific components that enable hackers to remotely control and monitor a compromised device, regardless of its location. The spyware is transmitted to a smart phone by clicking infected web links or by opening SMS messages sent directly to the mobile user, usually falsely appearing to provide links to system updates, the FBI states.

Bad Rap for Android?

Jason Malo, a research director at CEB TowerGroup who focuses on financial fraud and mobile, says the Android operating system is not the cause of the problem.

"It's the openness of the app marketplace that allows malware to run rampant," Malo says, not the Android OS itself.

"This is one of the first consumer-focused, security-oriented lists for mobile I've seen," Malo says. "That's a good thing, but it also is a pretty definite signal that security is becoming a problem."

Until the mobile industry can figure out a way to better control or vet readily available apps, mobile malware concerns will mount, Malo contends. "I'm not saying there should only be one store, but there does need to be some sort of reputational measure, akin to what SSL [secure socket layer] site certificates can help provide."

Link to Financial Fraud

George Tubin, a malware and financial security expert at anti-malware vendor Trusteer, says the FBI's warning is alarming because these types of attacks can easily lead to incidents of financial account takeover.

"What I think may happen, and what may have already happened and triggered the FBI to issue this alert, is that login credentials, such as username and password, for online banking access could be stolen," Tubin says. "When a hacker gets access to a mobile device and is able to take it over, he can get all of the information that is on that device."

So mobile users who access online accounts through mobile browsers, or those who save online-banking credentials somewhere on their devices, are at obvious risk, he says. Additionally, any online purchase that is made through an e-commerce site on a compromised device also could expose credit and debit details, including three-digit security codes required for card-not-present transactions, he adds.

"There also could be vulnerabilities for P2P [peer-to-peer] payments," Tubin says. Anytime a transaction is routed through a mobile device that has been infected, it's safe to assume the hackers who infected that device are monitoring everything the user does, he adds.

"We've heard about mobile malware concerns for a while, and the vulnerabilities inherent to Android because of its openness," he says. "But the alerts we are now seeing coming out from the FBI are highlighting some very different attack vectors. We have to take these threats seriously."

Exploited Security Features

In its list of privacy concerns, the FBI notes that the activation of geo-location features, which some institutions have relied on to help authenticate mobile users and transactions, can be exploited for fraudsters' gain.

The FBI alert does not link geo-location features with increased concerns for data compromise. But it suggests a compromised mobile device with enabled geo-location features poses physical risks, "raising concerns of assisting a possible stalker and/or burglaries."

Tubin says out-of-band authentication on mobile devices also can increase the risk of fraud.

"If a mobile phone is hacked, those SMSes that include one-time passcodes for online transaction approval can be redirected to criminals," he says. If the online account of that mobile user has already been compromised, then the hacker has just bypassed the out-of-band authentication measure.

Securing Mobile Devices

While the FBI alert notes security and privacy concerns specific to Android, it recommends 13 security precautions. The list suggests:

  • Turn off additional mobile features, even those set up in default settings, that are not being used;
  • Encrypt mobile operating systems;
  • Before downloading any app, read reviews about the app developer or company publishing the app and understand user app permissions that will be allowed once the app is downloaded;
  • Use passcodes to protect mobile devices and enable screen-lock features after inactivity;
  • Install mobile malware protection;
  • Install anti-virus and file integrity software;
  • Turn off geo-location features;
  • Be aware that jail-breaking or rooting increases a mobile device's risks. "Anytime an application or service runs in 'unrestricted' or 'system' level within an operation system, it allows any compromise to take full control of the device," the FBI says.
  • Avoid connecting to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • Reset or wipe devices before they are sold or traded;
  • Keep smart-phone software patches and upgrades up to date;
  • Avoid links or software downloads from unknown sources; and
  • Use the same precautions on a mobile device as you would use on a PC.

Follow Tracy Kitten on Twitter: @FraudBlogger
